How to protect against web-based email accounts attack?

Some of my friends have had their Hotmail accounts hacked and used to send spam mail. Some of their account passwords were even changed, and they are unable to access them.

Some of them contacted Microsoft for assistance and had their passwords reset; some of them created a new account and re-added their friends.

Rarely, I even receive friend invitations (accept / decline, etc.) from unknown people with suspicious email addresses. When you accept them, you never see them online, or the account is not available on Facebook or Friendster.

In the past, I even received junk messages (links to threats, etc.) from friends' accounts through Windows Live Messenger. I have not received any for quite some time, so that's OK. I would advise friends who are affected to change their account password, but I am unsure whether it would work.

Why does this happen, and how can we protect our accounts from being attacked or misused?

Cheers

Peter(Current: W520 4284-A99) (Refunded: W510 4876-A11)


Re: How to protect against web-based email accounts attack?

Password compromises of web-based services most often occur because of three reasons:

A database containing information such as email addresses and/or usernames and passwords was stolen, and the passwords were stored in plain text or some other easily-recoverable format. Even if the database was taken from another service, if it contained email addresses and passwords, an attacker could try using those together to gain access to email and other accounts.

The password was "sniffed" (recorded) when it was sent over an insecure network connection, such as a public Wi-Fi hotspot. Most online services (webmail, instant messaging and so forth) require a secure connection in order to log on, but it is possible for an attacker to monitor traffic, fake login screens, possibly redirect to a non-secure login and so forth.

The password was guessed by a "bruteforce" attack. Computers are great for handling automated, repetitive tasks, and guessing a password by trying the most likely combinations of letters, numbers and punctuation marks is something they excel at. Computers and network connections are so fast these days that it is trivial for them to make guessing attacks against common words, phrases and alphanumeric substitutions (the number "1" for the letter "L", the number "3" for the letter "E" and so forth), so it is more secure to use a longer passphrase.

My suggestion would be to avoid invites from suspicious accounts on instant messengers, social media and so forth. If you get a suspicious message from someone you know, try contacting them out-of-band (i.e., using a different means than they used to contact you, such as by sending them a text message if they sent you an email) to notify them about the suspicious message(s) you received.

Changing the password on a compromised account often works, but it is always a good idea to check with the particular service provider to see if they have any specific or additional recommendations about how to secure the account.

Re: How to protect against web-based email accounts attack?

Great suggestions. One of the things I find troubling is that many of these free services (Facebook, Gmail, etc.) ask for additional personal information to help validate your identity. I struggle with this a bit, as it seems counter-intuitive to me. If some of these sites can be hacked, do I want them to store additional information about me?

Re: How to protect against web-based email accounts attack?

Quote from Mark_Lenovo: "...One of the things I find troubling is that many of these free services (Facebook, Gmail, etc.) ask for additional personal information to help validate your identity. I struggle with this a bit, as it seems counter-intuitive to me. If some of these sites can be hacked, do I want them to store additional information about me?

So far, I resist adding any more information. Am I being too cautious?

Mark"

...Not at all Mark.

A very well known fellow, Benjamin Franklin, said long ago, "An ounce of prevention is worth a pound of cure" which, I believe, is noteworthy with regard to your question. In addition, it should be noted, that same fellow, mentioned above, also said "three can keep a secret, if two of them are dead".

Most web site registration requests require a valid email address and the member's name. Anything beyond that is intrusive for a simple web site "registration" membership just to play a game or view and send email.

There are some other aspects to web site membership you should consider before offering any other information regarding your identity. Some of these would be relative to the "purpose" behind your registration, and what type of web site.

For example...let's say you decide to perform your banking online. Your bank's web site is going to require much more personal information than just an email address and your name. In that example, you can see the need for providing such information. Before you do however, you should make certain the web site has protective features available, starting with the web site protocol itself.

When registering at a web site that requires personal information, look in the address bar of your browser. Make sure the web site address line starts with "HTTPS://".

If it does not, then your personal information is at risk which should bring to mind the above quoted remarks from Mr. Franklin.
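The address-bar check above is the first thing to look at, but a page that loads over HTTPS can still hand your password to a plain-HTTP URL if its login form posts somewhere else. The following is an added example, not code from the original post or from any forum member: it takes a page URL and the page's HTML (constructed samples below; example.com is a placeholder, not a real service) and reports whether the page itself and every form action on it use HTTPS. It does not tell you whether the site is genuine, only whether the credentials travel encrypted.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect the action attribute of every <form> element in the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # Missing or empty action means "post back to the page URL itself".
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url: str, html: str) -> list[str]:
    """Return a list of warnings; an empty list means page and all forms use HTTPS."""
    warnings = []
    if urlsplit(page_url).scheme.lower() != "https":
        warnings.append(f"page itself is not served over HTTPS: {page_url}")

    finder = _FormFinder()
    finder.feed(html)
    for action in finder.actions:
        # Relative actions inherit the page's scheme, so resolve before checking.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            warnings.append(f"form posts credentials over plain HTTP: {target}")
    return warnings


# Constructed sample pages for the example (not captured from any real site).
GOOD_PAGE = (
    "https://login.example.com/",
    '<form method="post" action="/auth"><input name="pw" type="password"></form>',
)
MIXED_PAGE = (
    "https://www.example.com/login",
    '<form method="post" action="http://www.example.com/login.php">'
    '<input name="pw" type="password"></form>',
)
PLAIN_PAGE = (
    "http://mail.example.com/",
    '<form method="post" action="/login"><input name="pw" type="password"></form>',
)

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("mixed", MIXED_PAGE), ("plain", PLAIN_PAGE)):
        print(name, audit_login_page(*page) or "OK")
```

The MIXED_PAGE case is the one the address bar alone does not reveal: the bar shows HTTPS, yet the form's action is an http:// URL, so the password would be sent in the clear.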

Re: How to protect against web-based email accounts attack?

Although Aryeh addressed your question on the why and how password compromises occur, I'd like to add additional information about the issue you raised regarding compromised Hotmail accounts.

Quote:

"Some of my friends have had their Hotmail accounts hacked and used to send spam mail. Some of their account passwords were even changed, and they are unable to access them."

The Hotmail team has incorporated security features designed to protect and recover a Hotmail account. These features include those listed below. In addition, the Hotmail team has rolled out a new security feature that will prevent choosing a very common password when recovering a compromised Hotmail account, signing up for a Hotmail account or when changing your password. Also, if you are already using a common password, you may, at some point in the future, be asked to change it to a stronger password.

1) Designate an alternate e-mail address. Be careful when entering the alternate e-mail address as it will need to be confirmed.

2) Add your mobile phone number and receive a text message with a secret code via SMS that can be used to reset your password and reclaim your account.

3) Create a secret answer (Note: Although providing a "secret answer" is commonly used as a means of recovering accounts, caution needs to be exercised. Using easily determined information as your secret answer is not advised. Instead, for sites that still use such common personal information, use consistent false information that you will remember.)

4) Set up a "Trusted PC" -- With a trusted PC added, this becomes the only computer that can be used to recover or change your password from somewhere else. (Note: To add a trusted PC to your account, you need to have Windows Live Essentials installed.)

Re: How to protect against web-based email accounts attack?

When the questions one is asked seem to be... intrusive, I'm a firm believer in providing an answer that I can remember, but is not necessarily truthful. For example, if asked for my birth date, I may give the year I was born, but specify January 1st for the date.

More elaborate answers can be given to questions, especially those required to reset a password, but it is important to store those answers safely offline someplace, so in the event you have forgotten your password or need to change it, you will be able to do so.

In a home environment, I personally feel that an address book—the actual paper kind that you write in with a pen—stored near the computer (but not at it, or at least, out of sight from it) is a great place to keep mnemonics and tips to help you answer password recovery questions for web sites. Keep in mind, though, that you should not write the actual answers to the questions in there, just something that helps you remember your answer.

Re: How to protect against web-based email accounts attack?

"In a home environment, I personally feel that an address book—the actual paper kind that you write in with a pen—stored near the computer (but not at it, or at least, out of sight from it) is a great place to keep mnemonics and tips to help you answer password recovery questions for web sites. Keep in mind, though, that you should not write the actual answers to the questions in there, just something that helps you remember your answer."

I've been using this method at home for many years, not only as a reminder for password recovery questions but also as a reminder for web site passwords. Never use the same password at every site. If that site should be compromised, your account information could be readily available to the hacker. Although there are password generating programs, I got into the habit of creating my own unique password for each web site. (This is probably a result of a work environment that necessitated changing the password every 30 days.)

Re: How to protect against web-based email accounts attack?

Never use the same password at every site. If that site should be compromised, your account information could be readily available to the hacker.

This is very good advice.

If it is too much hassle to use a different password for every site, then use passwords for different types of sites, e.g. use a very strong password for financial sites, another strong password for email accounts, and an easier password for general site accounts.

Re: How to protect against web-based email accounts attack?

Let me add other techniques that are being used by the bad guys to hack or steal other people's email accounts:

Phishing - is a form of social engineering broadcast attack focused on stealing credentials or identity information from any potential target. You've already cited an example of this technique -- when you received friend invitations from unknown people with suspicious email addresses. That's how others start their phishing attack.

Weak passwords - some users use common words as their passwords -- which is not a good practice. Avoid using simple words like "password", "12345", "admin", "54321", etc. as your password. It will be easy for the bad guys to guess your password if you use a weak password.

Dictionary attack - this is somewhat related to weak passwords. The bad guys will try to use common words to try to guess the password of your account.

Other techniques are quite old-fashioned already, but they still work. So you should still be aware of the following:

Eavesdropping - is the act of secretly listening to the private conversation of others without their consent. One example is if you're in a public place, the person beside you might be "secretly" listening to the things that you're saying while you're talking to a friend via your mobile phone, in a face-to-face conversation, etc. -- waiting for some important information that you may say that might be of use to them.

Shoulder surfing - this is (or should I say was) very common in Internet cafes, wherein the person beside you is waiting for you to type in your password and will monitor the movement of your fingers so that they can determine your credentials.

If you're the kind of person that writes their passwords or important information on a piece of paper, make sure that you store it in a safe place (not under the keyboard, on a Post-it on the fridge or monitor, etc.). Also, be wary of the "dumpster diving" technique that's still being used by some bad guys.

Dumpster diving - is the act of digging through trash in order to obtain information about a target organization or individual. To prevent dumpster diving (or at least reduce its value), all important documents should be shredded or incinerated before being discarded.

And of course, the last and most important thing is end-user education or awareness. There's a good saying that is very common on social networking sites: "Think before you click"
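Two passages in this thread describe the same attack from different angles: Aryeh's post on stolen databases with easily-recoverable passwords and brute-force guessing with letter-for-symbol substitutions, and the "Dictionary attack" item above. The following is an added example, not code from any forum member: it runs a small dictionary attack with substitutions and suffixes against a constructed "leaked" table of unsalted MD5 hashes (addresses and passwords are invented), then replays the recovered pairs against a second constructed service that stores passwords properly (salted PBKDF2) to show why password reuse turns one site's breach into another site's compromise. The wordlist, substitution table and suffix list are assumptions chosen to keep the example small.

```python
import hashlib
import itertools
import os

# Constructed "leaked" database of unsalted MD5 hashes: the easily-recoverable
# storage the thread warns about. Addresses and passwords are invented.
LEAKED_DB = {
    "alice@example.com": hashlib.md5(b"P4ssw0rd").hexdigest(),
    "bob@example.com": hashlib.md5(b"hotma1l2010").hexdigest(),
    "carol@example.com": hashlib.md5(b"rain on the tin roof at 3am").hexdigest(),
}

# Tiny stand-in for a real dictionary (constructed).
WORDLIST = ["password", "hotmail", "monkey", "letmein", "dragon", "rain"]

# The letter-for-symbol swaps the thread mentions ("1" for "l", "3" for "e", ...).
SUBS = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7"}
SUFFIXES = ["", "1", "123", "2010", "!"]


def variants(word):
    """Yield every substitution / capitalisation / suffix variant of one word."""
    slots = [(c,) + tuple(SUBS.get(c, "")) for c in word.lower()]
    for combo in itertools.product(*slots):
        base = "".join(combo)
        for cased in (base, base.capitalize()):
            for suffix in SUFFIXES:
                yield cased + suffix


def crack(hashes, wordlist):
    """Dictionary attack against unsalted MD5. Returns ({user: password}, guesses)."""
    by_hash = {h: user for user, h in hashes.items()}
    found, tried = {}, 0
    for word in wordlist:
        for guess in variants(word):
            tried += 1
            user = by_hash.get(hashlib.md5(guess.encode()).hexdigest())
            if user:
                found[user] = guess
    return found, tried


# A second, unrelated service that stores passwords the right way: a random
# per-user salt and a slow hash. Bob reused his password there; Alice did not.
def _store(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


OTHER_SERVICE = {
    "alice@example.com": _store("a different passphrase entirely"),
    "bob@example.com": _store("hotma1l2010"),
}


def verify(user, password):
    salt, digest = OTHER_SERVICE[user]
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000) == digest


def credential_stuffing(found):
    """Replay recovered (email, password) pairs against the other service."""
    return {u for u, pw in found.items() if u in OTHER_SERVICE and verify(u, pw)}


if __name__ == "__main__":
    found, tried = crack(LEAKED_DB, WORDLIST)
    print(f"{tried} guesses recovered {found}")
    print("same password also valid on the other service:", credential_stuffing(found))
```

Alice's and Bob's substitution-style passwords fall to a few hundred guesses, Carol's long passphrase does not appear in any variant of the wordlist and survives, and Bob's reuse means the attacker walks straight into his account on the second service even though that service never leaked anything and hashed his password properly.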